Syrian malware threat to cyberspace
The geopolitical conflicts of the Middle East have deepened in the last few years, particularly in Syria. The cyberspace conflict there is intensifying as sides try to tip the struggle in their favor by exploiting cyber intelligence and making use of obfuscation.
Kaspersky Lab warns users of the dangers posed by Syrian malware
19th August 2014
“A combination of factors – social engineering, rapid app development and remote administration tools for taking over the victim’s entire system – creates a worrying scenario for unsuspecting users. We expect attacks by Syrian malware to continue and evolve both in quality and quantity. Therefore, users should be especially careful of suspicious links, double check their downloads and have a reliable and comprehensive security solution installed,” said Ghareeb Saad, Senior Security Researcher, Global Research & Analysis Team at Kaspersky Lab.
The last few years have thrown cyber attacks in
Kaspersky Lab’s research shows that cybercriminals are exploiting the situation in the region to create a multitude of malware capable of accessing users’ data. Syrian malware relies heavily on social engineering and leveraging trust in order to achieve rapid propagation and infection. The malware is disguised in different ways, including fake antivirus scanners, social messaging apps, Trojan-embedded legitimate system utilities, downloads in social networks and free public file-sharing services.
In the samples analyzed, the cybercriminals usually attempted to achieve complete system monitoring with the help of the infamous remote administration tool (RAT) Dark Comet, which not only sends every keystroke almost instantly to a remote server but also leaves the infected system vulnerable to exploitation by the attackers. The use of high-level programming languages means the malware writers can easily modify their creations, making it possible to test new malicious campaigns with minimal effort and to craft targeted attacks in no time. Syrian malware has also been evolving, and shows no sign of abating any time soon.
Examples of Syrian malware
Cybercriminals make widespread use of disturbing videos to grab users’ attention and spread malware. One example of this was a video showing the injured victims of a recent bombing that was used to strike fear into viewers and make them download a malicious app from a public file-sharing website. The file proved to be heavily obfuscated with the commercial utility “MaxToCode” in order to avoid early detection by antivirus solutions. After execution, however, another executable file was created that communicates with the remote access tool. The Trojan in this case is used to disable parts of the security setup, save all the keystrokes and system information, and send them on when an Internet connection is made.
Among the malware samples reviewed by Kaspersky Lab was a compressed set of files found in a popular social networking site that allegedly listed activists and wanted individuals in
Fake applications, including fake antiviruses, are popular among cybercriminals. Calculators, game loaders and more are used to spread malware. One such example is “Ammazon Internet Security” – a malicious application that tries to mimic a security scanner. Analysis of the code revealed a lot of functionality linked to the user interface, but no real security features. With nothing more than a couple of buttons and a catchy name, the Syrian malware groups are hoping the intended victims will fall into their trap. The silent execution of a remote administration tool while the “security suite” is launched leaves the victims’ computers with no protection and a RAT installed.
Instant messaging applications for desktop operating systems are among the tools used to spread malicious programs and Syrian malware authors take advantage of these as well. In contrast to “Ammazon Internet Security”, these samples don’t have a graphical user interface or even a message warning the user to worry about their security; they move directly to infect the system.
The research showed that even legitimate applications are being used with embedded malware to spy on Syrian citizens. Offering security applications that protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs. One example is a version of the Total Network Monitor software modified by cybercriminals to dump system information while hiding all malicious activity until the “legitimate” tool is completely installed.
Understanding the trap
Syrian malware relies heavily on social engineering and the active development of more technologically complex malicious variants. Nevertheless, most of them quickly reveal their true nature when inspected closely and that’s one of the main reasons for urging Syrian users to double check the source of their downloads and to implement a layered defense approach. Having an up-to-date, genuine antivirus and firewall should be the first measure implemented by users who perform any type of online activity, especially during these uncertain times when new cyber threats are appearing almost daily.
Antivirus software utilizes either signature or heuristic-based detection to identify malware. Signature detection involves a search for a unique sequence of bytes that is specific to a piece of malicious code, while heuristic detection identifies malware based on program behavior. In Kaspersky Lab’s research more than 80 malware samples used to attack Syrian citizens and
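As an added illustration (not Kaspersky Lab's code or any real product's engine), the following combines the two approaches just described: a signature check for a known byte sequence, and a heuristic score over observed program behaviour using the indicators the article attributes to these samples (dropping a second executable, capturing keystrokes, disabling security components, beaconing once online, a "security scanner" with no scan logic). The byte patterns, event names and weights are constructed placeholders, not real detections.

```python
from typing import List, Optional, Tuple

# Signature detection: a unique byte sequence tied to a known sample.
# Constructed placeholder bytes, not taken from any real malware.
SIGNATURES = {
    "Constructed.RAT.Dropper": b"\x4d\x5a\x90\x00RAT-DROP",
    "Constructed.FakeAV.UI": b"FAKE-SCANNER-UI-ONLY",
}

# Heuristic detection: weighted behaviours observed at run time.
# A score at or above THRESHOLD flags the program even with no signature hit.
HEURISTIC_WEIGHTS = {
    "drops_executable": 2,             # a second executable appears after launch
    "installs_keyboard_hook": 3,       # every keystroke is captured
    "disables_security_component": 3,  # parts of the security setup switched off
    "beacons_on_connect": 2,           # collected data sent once online
    "no_scan_logic_despite_av_ui": 2,  # "security suite" that never scans
}
THRESHOLD = 5


def signature_scan(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in data, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_score(events: List[str]) -> int:
    """Sum the weights of distinct observed behaviours; unknown events score 0."""
    return sum(HEURISTIC_WEIGHTS.get(e, 0) for e in set(events))


def classify(data: bytes, events: List[str]) -> Tuple[str, Optional[str], int]:
    """Signature hit wins outright; otherwise fall back to the heuristic score."""
    sig = signature_scan(data)
    score = heuristic_score(events)
    if sig:
        verdict = "malicious (signature)"
    elif score >= THRESHOLD:
        verdict = "suspicious (heuristic)"
    else:
        verdict = "clean"
    return verdict, sig, score


if __name__ == "__main__":
    # Constructed: an unknown build that matches no signature but behaves like
    # the RAT infection chain described above, so only the heuristic catches it.
    unknown = b"\x4d\x5a\x90\x00unrelated-bytes"
    trace = ["drops_executable", "installs_keyboard_hook",
             "disables_security_component", "beacons_on_connect"]
    print(classify(unknown, trace))  # ('suspicious (heuristic)', None, 10)
```

The point the example makes is the article's: a repacked or obfuscated variant defeats the byte-sequence check, while the behaviour it must exhibit to function still scores.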
To learn more, read the blog post available at Securelist.com.